How often does your company run Pen testing in relation to cybersecurity?


Every 6 months42%



Have never7%


1.9k views4 Comments

CISO in Software, 201 - 500 employees
Smart companies have a multi-level pen testing strategy which they dynamically align with the business. Doing one end2end semi-automated fuzz test may work just fine for a stable application with little volume of architectural/technology changes, providing that it is being scanned for vulnerabilities regularly and minor releases are accompanied with automated pen tests (say via Burp suite) which are integral part of regression testing. The same strategy could fail horribly in the early stages of development, when there are major architectural changes introduced shortly after the test, etc etc. Having a managed bug bounty program should be considered too, and the outcomes of this program should be used to refine the pen test plan too.
Associate Vice President, Information Technology & CISO in Education, 1,001 - 5,000 employees
We are moving toward continuous monitoring 365x7x24 on crown jewels.
2 2 Replies
CEO, MSSP - High Assurance Cybersecurity SOC in Services (non-Government), 1,001 - 5,000 employees

John, I'd be interested in knowing if your conmon plan replaces Pentesting or ? 

Associate Vice President, Information Technology & CISO in Education, 1,001 - 5,000 employees

The service we use is via Synack, and it's 24x7x365 pentesting / red teaming. We give them scope (e.g. IPs to test) and they have at it all year, and report back with exploitable vulnerabilities, with detailed reproduction steps and ways to fix. Once we fix, we submit for verification and they check again until it truly is fixed.

When there's a specific system / service we want to test, we use Synack for focused missions against that system / service.

It has been a really great solution, as traditional pentesting may throw 1, 2, maybe 3 testers at your solution if you're lucky. With the crowdsourced model you can have hundreds, with wide ranging skillsets, testing your system. The results speak for themselves, and I won't ever go back to the previous model.


Content you might like

CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
Read More Comments
42k views131 Upvotes319 Comments


Cyber Security40%


Information Security9%


1.2k views3 Upvotes1 Comment

Yes, going with a best of breed model - multi-vendor27%

Yes, going with a single vendor SASE model53%

Learning/Planning Phase11%



374 views1 Comment